Demystifying Risk Management
A lot of organisations seem to think that they need to bring in experts from outside, or that they need trained, university-educated staff, to understand risk management within their organisation. This is not the case; the reality is that risk management is simple.

I’m going to talk about how we can demystify risk management through a number of steps:

The first thing we need to do is understand what it is we do within our organisation: what are our activities? Who is involved? Who are our stakeholders? Once we understand the things that we do within the organisation, we ask one simple question: what can go wrong? If we also ask what has gone wrong in that activity in the past, we will find ourselves with a comprehensive list of risks. In other words, instead of asking what the risks to this activity are, ask what can go wrong and what has gone wrong before.

Once we have that comprehensive list of risks, the next thing we need to ask is: what would cause it to happen? This is a really important step, because if you understand what would cause the risk event to occur, you can put things in place to stop it from happening.

We also need to understand what the consequences would be should that risk occur. What we do in this case is develop a list of consequences in a qualitative format. Once we really understand the full scope of the risk, we can identify what we need to do about it.

One of the most important things (which will be a subject for another day) is controls: what controls do we have in place to deal with these risk events, and how effective are those controls? If our control environment is not effective, then the first thing we need to do is strengthen the controls we already have, which also stops you from putting unnecessary new controls in place.

To reiterate: the first thing we need to understand is what can go wrong or what has gone wrong in the past, then what caused it to go wrong, and then what the costs are if it does go wrong. Finally, we look at the controls, our control environment and its effectiveness.

Once we’ve done all that, we understand the risk before we go on to analyse it: we have a comprehensive understanding of the thing that can go wrong, what would cause it, and what we can do about it.